User Onboarding, Offboarding, and Everything in Between

Can you rely solely on automation to bring new employees onboard, and to offboard them when they leave? Tal Herman, Lead Product Manager at our Partner Onelogin explores more in this blog.

Automation can be critical to onboarding employees quickly and efficiently, granting them access to what they need and only what they need to perform their job. Automation is even more critical when people part ways with the organization and need to have their application access removed, providing a thoroughness that manual efforts can’t match. Fail to remove access in time or miss a key access point, and you’re looking at a security violation and possible damage to your organization and customers, not to mention a potential compliance violation. In fact, one in five organizations report data breaches as a result of incomplete deprovisioning.

Those are what I call the “blind spots” of the traditional onboarding and offboarding process.

As a former identity & access management (IAM) administrator, I used to struggle with those blind spots. On the one hand, I wanted to empower business managers, allowing them to manage their applications while we in IT served as the governance layer, making sure that access was appropriately monitored and removed when employees left the organization. But how would we control applications that were manually provisioned? There were plenty of applications that didn’t support an automated process, whether legacy applications, form-fill applications, or apps that required admin-level configuration.

So how are we at OneLogin shedding some light on those blind spots?

For the last few months, we’ve been working with customers on a new compliance feature called Task Lists, which includes user Onboarding and Offboarding workflows that you can use to track automated and manual tasks.

You can use this feature to ensure that none of a user’s application accounts are left behind. When users join or leave an organization, OneLogin automatically generates a list of tasks, including those that require an administrator’s attention and manual intervention.

For onboarding, we automatically assign roles and give application access based on your OneLogin mappings. If any of those applications require admin approval or manual assignment, we create a manual task for the admin to complete. Once you complete a task, simply check it off your list and move on.

In the case of offboarding, we automatically deactivate the user without deleting them (to ensure that you don’t lose user-related data), suspend the user’s app access, stop mappings from running on the user, and list all of the applications that require manual deprovisioning. We leave the final “delete user” step as a manual one for you or another admin to take.

All administrators with super admin privilege will be notified of every user who requires onboarding or offboarding. Also, every task gets logged as an event, providing you with an audit trail for each step of the way. You can send these events to a SIEM system of your choice, including Splunk, ELK, and Sumo Logic.

It takes just one click to turn the feature on and configure it! Just log in as an administrator and click the Notifications bell in the menu bar.

Here at OneLogin, governance and compliance are vital priorities. OneLogin Task Lists is just one of many upcoming governance features that we can’t wait to show you!